1. Field of the Invention
The present invention relates to the field of access control in a security domain and more particularly to credential authentication for different target resources across disparate security domains.
2. Description of the Related Art
Authentication and access control provide a secure mode of access to resources in a computing environment. In its most basic form, authentication and access control provide for credential protected access to a resource such as an application, a server, or a device. The resulting protected environment can be viewed as a security domain. A security domain can be described as a domain which uses a single user registry and associated authentication mechanisms for credential authentication.
For modest computing environments of a single security domain, authentication and access control can be managed simplistically by prompting an end user for an authentication credential—typically a user identification/password combination. More sophisticated implementations can provide for single sign-on convenience in which the end user need provide a user identification/password combination only once when prompted and the resulting credential authentication can be provided automatically to other applications requiring authentication without repeatedly prompting the end user for user credentials.
Authentication and access control can be complicated when interacting with resources in different security domains. In this regard, resources in different security domains can require different authentication credentials from the same end user. Accordingly, resources within different security domains cannot accommodate single sign-on for access control. Rather, an end user must offer authentication credentials when prompted for each resource in a different security domain.
One of the important goals of resource virtualization is being able to access variety of resources using set of standard interfaces, irrespective of different security domains to which the resources belong. In the resource management scenario, it will be apparent that various resources belong to multiple security domains. A discovery process used to discover manageable resources need not be limited to a single security domain and, oftentimes, it is necessary to authenticate into and access different resources across disparate security domains. Each different discoverable manageable resource can require not only different authentication credentials, but also can require or at least prefer a different authentication and security protocol through which the resource is to be accessed. Consequently, federating the multiple security domains during the discovery process using credential transformation services for achieving end to end security is desirable.
Recently developed systems management data processing systems provide on demand resource management solution incorporating security services aimed at providing secure end to end interactions between resource management services of the systems management data processing system and other services deployed within the environment. Resource discovery remains part and parcel of the on demand resource management solution. In any case, the security capabilities are intended to enable the secure interaction between the services of the systems management data processing system and manageable resources.
Within a systems management data processing system, mapping between authentication credentials and endpoints has not been well defined to solve the complex issues that arise with systems management. The complexity arises generally due to the necessity of managing different endpoints, on different platforms, each of a different type. However, each of the different endpoints supports different protocols and each protocol support different credential types for authentication.